Focusing On Google Getting Emails & Passwords Via Data Collection Misses The Point: Anyone Could Have Done It
from the total-overreaction dept
Back in May, we were among those who pointed out that it was incredibly bad that Google had accidentally collected data from open WiFi networks with some excess code in its Street View WiFi mapping efforts. A look at what they were doing highlighted how it was almost certainly accidental and no one has shown any evidence that Google did anything nefarious with the data at all. In fact, by all indications, Google didn’t even realize it had collected the data until right before it admitted it.
Today, Google put up a blog post detailing some of the steps it’s taken to better protect privacy, and at the bottom (on a Friday post, no less) the company tries to sneak past the “admission” that in finally going through the data (highlighting, again, that it was really unaware it had this data before) that while it was mostly fragments, in a few instances it did have full emails and passwords. This should not be a surprise. If you understand the technology of what was happening, it would collect mostly useless fragments of info, but if it was passing by at the time that someone was transmitting something like that in an unencrypted format, then of course it would collect that bit of info.
Of course, the press immediately pounced on that one key point, and all the articles this afternoon are trumpeting the fact that Google collected emails and passwords and making that the lead of the story.
But here’s the important point that none of them seem to be pointing out: Anyone could have gotten the same information. I could open up my network connections where I am right now, and see half a dozen or more open WiFi networks. I could connect to any of them, just sitting here, and snarf down any open data for however long I wanted, and I’m sure sooner or later, I’d pick up some emails and passwords from some users who didn’t bother to encrypt and who were using websites that weren’t encrypted. That’s the thing: this data is out in the open for anyone to take. Google didn’t “hack” anything, or do anything particularly different than what tons of people could easily do this very second.
The problem isn’t that Google got an occasional bit of openly transmitted info, it’s that people are still transmitting such data in the open anyway. In an age where so many people think that just having encryption on your computer is a sign of evil, the real problem is that people aren’t being taught to encrypt all of their communications. If that was standard, then Google never would have been able to do what it did… and neither could anyone else.
So for everyone slamming Google for this bit of data collection, why are you not complaining about the fact that someone who actually had nefarious intent can sit at the corner store right now and do the same thing without anyone ever realizing it?
Filed Under: encryption, privacy, street view, wifi
Comments on “Focusing On Google Getting Emails & Passwords Via Data Collection Misses The Point: Anyone Could Have Done It”
Doesn’t Google have passwords to everyone that uses them i.e Gmail, YouTube etc….? So if they wanted to do bad things with passwords. They could use that big ol collection of passwords willing given to them. From people that usually use the same Passwords everywhere they go. To take over the world or do whatever bad things people are insinuating they are trying to collect a random password for???
Seems like driving around in a car is an awfully hard way to maybe collect a random password.
“Doesn’t Google have passwords to everyone that uses them i.e Gmail, YouTube etc….?”
Not necessarily, they only need the password hashsums.
Re: Re: Re:
But if they *wanted* the passwords, they could get them. That’s the point.
Re: Re: Re: Re:
Sort of. The passwords are not stored at all by Google. The passwords are salted, then hashed. The hash is then stored. To authenticate, you send your password in most likely clear text over the internet, which is received, re-salted, hashed, then compared with the hash stored on their server. The data is then cleared via garbage collection, leaving only the unreadable hash. Google COULD change it to plain text, but that’d be an incredibly stupid move for a very large number of reasons.
Re: Re: Re:2 Re:
What should happen is that all browsers should take the login name (email@example.com), take the password, and take the login location (ie:www.google.com/Gmail for Gmail) and hash those three together and send the hash. Goole should then store a hash of the hash. This enables me to login to Google anywhere on any browser and if my hash gets leaked (ie: If Google or whoever sets up a program to monitor my password on their end where https can’t protect me) it only affects that account, even if I use the same password for different Google accounts or for different purposes (ie: yahoo).
There is already a firefox plugin that kinda already does this. It’s called Passowrd Hasher. The only thing is that it should be built into the browser and it needs to add an option for login name as well (in addition to site tag). Sure, one can incorporate the login name into the site tag, but they should be separate fields and the password hasher program should automatically incorporate the login name into the site tag and all of it should be hidden from the user by default (ie: all the user does is type in user name/password and the browser automatically creates the hash and sends it, user doesn’t see the site tag or anything by default) unless the user goes into the options and changes the settings. Password hasher should also have another field called iteration number/letter/additional hash info so the user can change the sent hash by only changing the iteration number for the site in the options (ie: by right clicking the password field and selecting password hash options, a simple dialog box much like password hasher pops up and will remember the iteration number for each site if changed).
If anything I blame the websites for not using SSL for logins. Even if the password is only to someones facebook account that they don’t care about, I’m sure many people use recurring passwords and so those passwords should be protected.
Google’s best response option:
Why would we drive a van hundreds of thousands of miles to get information that we already have?
anyone can sniff packets of data provided that they have the right tools and knowledge to decrypt it. As for google privacy issues are so common that almost all enterprise companies have strict policies. For sure informations will be leaked, there’s always human intervention in handling data– although some may not be direct, humans will still be humans
This whole “accidentally collecting WIFI information from millions of users” sounds like a Department of Homeland Security (or whatever in whatever country) thing. I mean for vehicles to traverse entire cities with cameras whose main purpose is to take pictures, since when do digital cameras come with WIFI sniffing equipment? And if nation security (for whatever country) did work closely with Google to sniff WIFI data in entire cities, do you seriously think they’ll openly admit to it or completely deny it calling it all an accident?
Hog wash. This sounds like a national security cover up to spy on WIFI’s so as to try to track covertly placed data transmissions.
This whole “accidentally collecting WIFI information from millions of users” sounds like a Department of Homeland Security (or whatever in whatever country) thing. I mean for vehicles to traverse entire cities with cameras whose main purpose is to take pictures, since when do digital cameras come with WIFI sniffing equipment?
They don’t. But Google never was just using street view cars for photos. They’ve been mapping WiFi access points — which is a perfectly reasonable thing to do (a bunch of companies do that). It was *that* software that caused the problem.
Re: Re: Subject
Right, and I don’t disagee that it’s legal or that Google was intending to map wifi access points while taking the photos.
However, first and foremost, the only reasonable way to triangulate a router location is to intercept packets from it and use the times from the packets to measure a distance. For Google to say that they didn’t intend to intercept packetsis deceptive at best and flat out lying at worst. True enough that Google likely had no intent for using anting the snooped but the certainl intended to intercept. True also that these packets came from unsecured networks and the people using them have no real privacy because of that in this case. Although, I could argue that peeping tom laws could potentially be applied in some crazy aspect. Say, I live in a rural area with no houses around, and I’m standing naked by my window; you take my picture run off. While I’m definitely breaking exposure laws, it’s been ruled that I have a right to privacy in my home from people who wish to snoop.
Secondly, the issue I take with this situation is not that they unintentionally packet snooped some emails and passwords, it’s that they intercepted packets to begin with. No, it isn’t likely to be found illegal but it makes me question what the use would be for knowing where wifi networks are located. In the case of a Panera Bread or a Starbucks, they don’t need to triangulate anything because they know where the hotspot is just by using their eyes to read the network I’d and to see the store loation. What use do they have knowing private network locations?
Re: Re: Re: Subject
“… the only reasonable way to triangulate a router location is to intercept packets from it and use the times from the packets to measure a distance.”
“… the issue I take with this situation is not that they unintentionally packet snooped some emails and passwords, it’s that they intercepted packets to begin with.”
“Say, I live in a rural area with no houses around, and I’m standing naked by my window; you take my picture run off. While I’m definitely breaking exposure laws, it’s been ruled that I have a right to privacy in my home from people who wish to snoop.”
Anything viewable from a public right-of-way is fair game. Close your drapes.
Re: Re: Re:2 Subject
Thanks for your thoughtful and reasoned comment.
In response to your only point, as I stated previously, courts have ruled in favor of privacy in open window cases.
Say you are walking down the street and glance over and oops, your neighbor is changing clothes stupidly in front of an open window. No big deal, because you kept walking. The only problem was them.
In the same scenario, say that you stop to take a picture of your naked neighbor. Now you have crossed the line and have violated the privacy of your neighbor by ‘capturing the moment’. In the same respect, google was looking into your wifi network and saving data. I wish I could cite an example right now but I’m limited to my phone at the moment so I’ll dig something up later if you are interested.
Note that I’m not truly advocating seeking such a claim against Google. I only offered that for arguments sake.
Re: Re: Re:3 Subject
“In response to your only point, as I stated previously, courts have ruled in favor of privacy in open window cases. “
Really? Citation needed (seriously.)
(And yeah, I realize we’re past talking about Google here. It’s an interesting subject in its own right.)
Re: Re: Re:4 Subject
I also think there is a difference between taking a picture of everything and having some private info accidentally wind up on the pic vs taking a picture of the private info for the sake of taking a picture of the private info.
Re: Re: Re:3 Subject
“””In response to your only point, as I stated previously, courts have ruled in favor of privacy in open window cases.”””
Really? Eric Williamson might disagree with you… although admittedly I don’t know whether or not he was actually convicted, but I strongly suspect the charge will stick.
Re: Re: Re:4 Subject
I think that particular charge was BS (they were trespassing at the time of the “offense”) but yeah, it does show how the law is applied.
Re: Re: Re: Subject
Google actually explained this. Follow the threads back in the TechDirt posts and I think it will eventually lead you to their official blog posts.
The are mapping Wifi routers so they can use their positions to approximate / triangulate location without GPS. This allows them to determine a location when GPS is unavailable (no GPS antenna, clouds, indoors, etc.) or when they are trying to save power on a device (powering up the GPS is costly). They are not the first company to be doing this and it makes a lot of sense for them to do it since they have the cars driving around anyway.
As for why they saved the data – it appears to be an accident. Wifi sniffing actually happens by your Wifi antenna by default. It captures all Wifi data and filters it by the SID you are actually “connected” to. So, as you walk past access points, you are collecting as much data as they are (time to put YOU in jail!). Normally, this is fleeting data that is dumped out of memory and gone. They saved a bit of it to determine the time it takes between communications – thus helping them locate the access point more effectively. They had some test code that then dumped the data they had collected and saved it for further analysis. This was initially done to help their developers work on the algorithm for locating the access point. When they went live, they forgot to stop the logging – any decent developer will tell you that have made the same mistake.
Google fessed up to this on their own. They made no attempts to brush it under the rug. They spent the time to analyze what they collected to make sure it was nothing bad. They also refused to give this information to anyone else.
They are not perfect, but this does not look like some big conspiracy.
Mike, generally I agree with your view point on the issues you discuss but I will have to differ on this.
I drive down city streets all of the time, occasionally even with a laptop open with the wifi antenna still on. I have yet to see any packets just happen to get saved to my computer though. I don’t dispute that the information gained is meaningless at best to a giant company. However, in in what potential use does Google have to triangulating every wireless router? As your example in a previous post, Panera Bread is a wifi hotspot for customers and that is something that could be useful overlayed onto Google maps. Driving down private streets on the other hand, what use would Google have to know where privately owned (even if stupidly unencrypted and public by ignorance)?
You never seem to justify what use having a ccompletely mapped wifi overlay of the world would be. I am more interested in that than how Google happened to intercept packets that include emails and passwords.
You really can’t think of ANY case in which wifi mapping information would be useful? Really? Did you think about it? What if you had your laptop with you and wanted to know where the nearest open wifi was? What if you were wondering if the airport at your layover has any open wifi? What if you took a business trip to Macao, your contact wants to go outside the city for an inspection, and you are wondering if there is wifi near your destination so you can email your boss the results? What if you don’t want to use your blackberry for anything sensitive in India, and would rather use your laptop?
You really can’t think of anything?
Your lack of imagination aside, people often new and imaginative ways to use large datasets. Comparing types and offerings of wifi in different countries or cities would be one use. Creating cool infographics based on wifi availability over time would be another. Illustrating a technology gap between rural and urban areas would be interesting by itself, and could also be used to support other theses. Lots of times, after assembling data and making it available, users come up with amazing things that nobody, not even the creators of the data, could have foreseen.
Re: Re: Re:
I don’t appreciate the way you responded to a general inquiry with a personal attack. Of course I thought of those ideas. I discuss it in other posts here in fact.
There would be no problem if what Google was doing were looking for open wifi hotspots in business areas where people congregate. However, it seems pointless because most of these places advertise having wifi access and therefore, the role of Google is negated in commercial places.
The idea where you propose that someone need to find if there is wifi in the area can do so from the wifi device without Google as well.
Creating infographics of wifi dispersion could possibly be interesting from a trivial standpoint but mostly useless in application.
I have thought of all the ideas you mentioned as well as others for being possible justifications for Google triangulating access points, but all of them are either useless or are providing fixes for problems that don’t exist. So in essence, everything you mentioned isn’t a problem for people. Also, notice how I didn’t resort to personal attacks to make my claim. Next time, leave your personal attacks at the door when responding. Rather than embarrass me, it only makes you seem unable to thoughtfully respond.
Re: Re: Re: Re:
You missed the main one, and likely the true reason for Google mapping access points: geolocation.
If your phone does not have GPS, or is somewhere GPS does not work well (for instance, where there are lots and lots of tall buildings), your phone can list all the access points it can see and their signal strengths, send that info to Google, and the Google servers will do the triangulation and tell your phone where it is (with less precision with a GPS, of course, but within a hundred metres).
It is the same as Skyhook Wireless’s business model, in fact.
Re: Re: Re: Re:
Only once they are there, is there a way for “someone” to find out if there is wifi without being out there already. Being able to check something that you think the rep is lying about could be very useful when in the field. “do i grab all the spec data before I leave, or do I wait and see if i need it.
Also If you know the place an AP is at, you can use it as rudimentary GPS style system. AP names could be used as form of advertising.
The real issue here, is like Mike says, that anyone one that has a computer in a car could actually try to get this data and do a much worse things with it.
There really needs to be a mandate that consumer grade wifi points(routers, bridges, etc) ship with the wifi off, and require a scary message if you go to disable the encryption. Also website should, of their own accord, start requiring SSL for login data.
They (that is, the people entrusted with providing the illusion of security) don’t care about *actual security*. They’d prefer it if people didn’t encrypt their emails, etc.
Also, likely, they’re hoping to wring some dollars and/or favors out of the company they’ve demonized.
anyone could have done it, is THAT your defense ???? LOL
Yes Mike anyone could have done it…
BUT GOOGLE DID IT..
Anyone can kill people, steal, cheat, rob, but only certain people actually DO IT..
So your sticking up for google ‘because anyone could have done it’..
Gee, what a weak argument,
Sure, anyone could have gotten the information, but they DID NOT..
Googlag did !!.
Anyone could kill a person as well, but they didnt..
Re: anyone could have done it, is THAT your defense ???? LOL
Well, darryl obviously you don’t even care to see Mike’s point. By a large margin you just scribbled on your monitor and read where the lines crossed I guess? You see, GOOGLE is being fingered like a citizen who walks by a dead body and out of worry, curiosity etc goes to check just to be CAUGHT in the act.
Google like any other company has its shady parts by far but in this instance Mike is right in saying this is not being viewed in a PRODUCTIVE way. Instead its just a bunch of clamoring to see who can stick what to who and not spreading awareness of PRIVACY that should matter to those that choose to care. SO, once again if Google did then its no surprise why other breaches have happened so often.
Anyone could of dont it,, even Mike, but Google DID IT..
But here’s the important point that none of them seem to be pointing out: Anyone could have gotten the same information. I could open up my network connections where I am right now, and see half a dozen or more open WiFi networks. I could connect to any of them, just sitting here, and snarf down any open data for however long I wanted, and I’m sure sooner or later, I’d pick up some emails and passwords from some users who didn’t bother to encrypt and who were using websites that weren’t encrypted.
So you Mike are the HERO of the moment, because even though you are capabale of breaking the law, you choose not too !!!..
WOW, im SOOO proud of you, fancy being faced with a possible crime and being moral enough not to commit that crime.
And based on that logic, even though google commited the crime, because ‘anyone could have done it’ then its OK for them TO DO IT..
If they issued medals for not commiting crimes that you could commit, im sure you would have alot of them..
I also note that you are still defending google, and claiming its only because they are totally stupid and technically inept that they ‘accendently’ snooped sensitive data, and did not realise it until someone else told them, after a year or more and in multiple countries.
And we are supposed to believe you Mike, or believe Google.
Google did bad, Google got caught, and Mike tries to defend to indefencible. as usual..
So I have my windows open here, anyone could break into my house right now, but only CRIMINALS actually will.
The fact that anyone could have done it makes no difference. (except in your mind)..
I dont know, but it seems you are getting more and more desperate to show you ‘argument’, regardless of logic and the real facts.
So you might want to explain to us, why you think that if anyone could have done something, that would make that act ok, if that act is an illegal, unethical, stupid thing to do ?
Yes, judge, I killed that man, ran him over with my car, that is true, but im not guilty of time crime your Honor, because of one simple fact, ANYONE COULD HAVE DONE IT, sure it was ME who did it, but ANYONE could have.. so im innocent
LOL,, it must be Friday !!!!.. .
Re: Anyone could of dont it,, even Mike, but Google DID IT..
I walked down the street yesterday talking on my cellphone. I passed you and your heard my conversation. Please report to jail immediately.
Re: Anyone could of dont it,, even Mike, but Google DID IT..
What is illegal?
A better analogy would be: Walking down the street, Google picked up some litter. Anyone could have done it, but Google did do it.
Re: Anyone could of dont it,, even Mike, but Google DID IT..
“if that act is an illegal, unethical, stupid thing to do”
I think you need to settle down, take whatever relaxes you, and think.
WiFi is a radio transmitter. As such it uses the public airways. So if you’re fool enough or simply don’t care enough, you can leave a WiFi transmitter open and leave it at that.
IF someone driving by, for whatever reason, intercepts the unencrypted signal then that someone has certainly not done anything illegal, immoral or stupid. By not encrypting the signal that someone has consented to that. Pure and simple.
Your comparing this to a case of running over a pedestrian and killing that person (not always a murder charge or any kind of criminal charge incidentally) doesn’t hold even so much as a quarter teaspoon of water because they are not comparable.
By the way, your example would indicate that “you” had either deliberately run the pedestrian down or were committing a criminal act while doing it for example impaired driving, driving with undue care and attention or a host of others or simply criminal negligence, say road racing.
As Google broke no criminal law in doing this it’s impossible to draw that parallel.
As for collecting and mapping WiFi locations it’s anything but illegal or unethical. It’s completely legal and ethical as an aide to navigation. (On land or sea if not as much in the air.)
WiFi signals like those of cell tower signals are send within the FM band and are frequency modulated even if they use a higher band which means they’re directional.
Mapping them along with other known directional radio sources aids shipping in places like the straights between Vancouver Island and the British Columbia Mainland and along the Inside Passage of British Columbia and Alaska. It becomes particularly important when geo-locating satellites fall below the “horizon”, say behind a mountain, and can no longer be used. If the navigator of a ship or the driver of a car can find three known WiFi sources instead of the now “disappeared” satellite they instantly know where they are.
And you’d be astonished at how much WiFi there is out there on the Inside Passage or the open ocean off the coasts of Alaska, British Columbia, Washington, Oregon and California even if the lack of human population there makes them “remote”.
No one is piggybacking on the signals, sending kiddy porn or cartoons featuring our favourite darryl in comprising positions or other such nasty things — they’re navigating. Nor do they need an unencrypted signal to do that.
According to you they can’t do that.
Of course, what is highly illegal is interfering with aids to navigation but that’s another story.
Re: Re: Anyone could of dont it,, even Mike, but Google DID IT..
Sorry, for a start, ships DO NOT navigate by WiFi points.
The fact is, Mikes argument is this
“Sure, Google collected data that they were not supposed too, sure they were either totally away of their actions (after all they did it over years, and several countries dont forget). But because ANYONE could have done the same thing (ie an illegal or unethical act) then it is ok for Google to have done it”.
The trouble is Google is not some 14 year old kid, out with his mates war driving, or some hacker in a basement somewhere.
Its a multi-national HUGE company that has a vast amount of information on a vast amount of people, and subjects.
Google uses INFORMATION to make money, that is how google works, so ANY information they can gather may now or in the future enable them to make more money.
So you think a company with such expertise in gathering, and storing information would make such a stupid mistake, and keep doing it over year, and in several countries.
It’s clear Mike does not want to show that information can be gathered and used by big industry, and that big industry does not have to be accountable for their actions, and being an apoligist for Google, after all it seems Google provides funding and financial support for Techdirt.
BTW, just because something is broadcast by radio does not (legally) mean that you have a freedom right to listen, or decode that signal.
The law grants an expectation of privacy, that means that just because you have windows in your house, that does not mean it is ok for someone to look it. (EVEN IF THEY CAN).
Same applies to communications, and normal social interactions.
that expectation of privacy (not stopping and watching the person getting dressed in their house, or sniffing your wifi) is not limited to individuals, but far more importantly is that big business that deals with sensitive information (what people search for, for example). Should be even more carefull, and considerate to their civic and public responsibilities.
But Mike getting up and appoligising for Google, and still trying to claim it is all some simple mistake does not cut it.
If google did make such an error, over the several year and serveral countries they did it in. Then you have to question their technical ability (which is proven to be competitent) or their motives.
In other words google would not make a ‘mistake’ like this, and if look at the extent of their activities its not one mistake its thousands and thousands of stuip rooky errors. That they did not discover for YEARS.
That just does not work, its clear google knew what they were doing, they kept doing it until someone blew the whistle on them. And they had to admit their activities.
So I still do not trust google at all, and have not used Google for years.
I certainly dont miss it, but I do object to having to pay a google tax on everything I purchase.
Re: Re: Re: Anyone could of dont it,, even Mike, but Google DID IT..
“””BTW, just because something is broadcast by radio does not (legally) mean that you have a freedom right to listen, or decode that signal.”””
I think i would should it be hear-able in the clear from a public space, aka the road. How is this different that standing on your roof with a bull horn?
Google knew they were grabbing packets, the only way to get the info that an AP exists. They then noticed they had some data they did not mean to grab; doing the filtering in realtime is resource intensive. Google then came out and said “opps we got some of this data what does the law say we should do with it?”.
There is a difference between “gather and store” and “gather temporally store, process, and store useful information”. Google is good at the latter, and anyone with enough harddrive space can do the first.
How do I do that?
do what? dump packets? see kismet and pcap/wireshark. I’ll let you use google to find them, but they are non shady, and quite useful professionally.
Oh, yes, Mike, Google is an *accidental* data vacuum.
Recording searches for 18 months.
Tracking everywhere through doubleclick and other web parasites.
And of course SELLING your web history to whoever.
And accidentally dodging US taxes through the “Double Irish” trick for 2.4% rate:
I’d go on, but other posters have already made good points.
Google already use the WiFi data in google maps on android.. My phone triangulates my position pretty accurately – even with GPS switched off whilst indoors! (except at work since we just moved office – Google maps still thinks I am in my old office nearly a mile away!)
The thing is, thousands of Android phones are sending the access point data back to google all the time as well – when setting up my phone I have an option that I have to choose to prevent this from happening.
“However, it seems pointless because most of these places advertise having wifi access and therefore, the role of Google is negated in commercial places.”
My understanding is that Google is gathering WiFi data to power their Geolocation API, which is used in Google maps, Android, etc, as Rabbit80 notes.
I presume it works as follows: When they find WiFi (open or secured), they note the SSID and MAC address, as well as the location of the streetview van. In the future, if an android device sees that it’s connected to an access point using that MAC address, the Geolocation API can tell it roughly where it is.
For open wifi, Google could go a step further and connect to the wifi, check the public IP address for the connection, and disconnect. Then Google Maps would be able to Geolocate you, without information about the access point you’re connected to.
Google wouldn’t need to intercept packets in order to triangulate a router’s position. Wifi routers constantly send out a “beacon” with their SSID to allow you to connect to them. If Google measures the signal strength of the beacons they receive, they could get a decent estimate of the location of a router (within a block or two) without ever connecting to it or intercepting data.
” In the future, if an android device sees that it’s connected to an access point using that MAC address, the Geolocation API can tell it roughly where it is.”
Just as Google don’t need to connect to the access points, neither do the android devices.
Those “beacon”s you mention are packets. And filtering them out of the the whole mess of wireless packets you can receive in a dense network is resource intensive.
Simply put, while they don’t connect to them, they do see the packets, and if we used directional antennas there would be less risk, but you would have to go and point your AP at your computer then.
What to keep the evil google from getting your dataz on your “Wirefi” use encryption, and good encryption. Last I knew even WPA2 was crackable given enough time at the AP, so better use a VPN.
Re: Re: Re:
“Last I knew even WPA2 was crackable given enough time at the AP, so better use a VPN.”
Since I’m a bit of a crypto-geek, I just want to point out that ALL encryption is crackable ‘given enough time.’
Now, enough time may be ‘until the heat death of the universe with current technology’ but that doesn’t mean that whatever encryption scheme you’re using for a VPN is not crackable. And it also doesn’t mean that some new technology couldn’t be developed that could make all existing encryption obsolete (theoretical quantum computers, but I’m not holding my breath on those ever working the way some think they could).
Re: Re: Re: Re:
Come on crypto-geek, you know about one-time pad encryption don’t you? No amount of time is enough to crack it! It’s almost uselessly difficult to use, but still, it’s unbreakable.
The standard practice involving password storage with our development team is to program an interface that accepts a password and then uses MD5 encryption on the password. If you know what I am talking about then you know that MD5 has no decryption method. So if you lose your password then a new password has to be issued. Most SQL databases are designed to deal with passwords in this manner. Even though it is not 100% foolproof, it requires an advanced knowledge of the core code in programming languages in order to crack it. The main advantage is that in a continuous stream of data it is extremely difficult to isolate encrypted characters into anything meaningful.
MD5 is actually not that hard to crack. You might want to pass on to your development team that they should consider a more secure algorithm, such as SHA-512.
Also, those algorithms are generally referred to as “hashing” not “encryption”. I’m not arguing whether semantically it’s encryption or not, just pointing out standard usage.
The main advantage is that in a continuous stream of data it is extremely difficult to isolate encrypted characters into anything meaningful.
Actually it doesn’t have anything to do with a stream of data since this all occurs on the server, not during communication between the server and the client. The advantage of hashing passwords (especially salted passwords) is that even if an attacker gains access to the database, they won’t have access to any passwords.
Interception of electronic communication is still *illegal*
Doesn’t matter who did it, or who COULD do it. People should protect themselves from this just as we try to protect ourselves from any other illegal activity.
Re: Interception of electronic communication is still *illegal*
“It shall not be unlawful under this chapter or chapter 121 of this title for any person—
(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public; “
Sounds like the exact definition of what Google did.
Re: Re: Interception of electronic communication is still *illegal*
They’ve admitted that they intercepted encrypted data as well, but did not store it.
Re: Re: Re: Interception of electronic communication is still *illegal*
Unless they decrypted it, I don’t see what difference that makes. They only intercepted what was readily accessible: the ciphertext.
wow some people are really anti-google arnt they!
As for why would they want wi-fi locations when their allready advertised? Well google was working on a public transport timing map to intergrate into their mapping software(not sure if its finished yet). That info’s available elsewhere, but it would be nice to have it intergrated.
Why all the whining? Really its not that important, as pointed out, they could get the passwords other ways. Everyone knows they sell marketing information, thats no reason to shout “omg google has wifi information!”.
I think too many people are having way to much caffeine in their drinks today
LIES!!!!! Everything Gargle does is intentional and evil!!!!! They’re going to use all this stolen data to somehow target ads at people and make money from it!!!!!
See?!!!! They admit that they were intentionally recording everyone’s passwords!!!!!
No they couldn’t!!!!! The fact that it’s illegal to do so provides a magical shield that prevents anyone from doing something like this. That’s why what Goggle did makes them so evil!!!!!
If you did that, you’d be immediately arrested and thrown in jail. That’s why it’s so unfair that Gobble is getting away with blatantly and intentionally breaking the law!!!!!
No it isn’t!!!!! It’s protected by LAW!!!!!
Why should they have to, when the law already protects them?!!!! Just like the law protects you from having any embarrassing photos taken of you while you’re out in public, since it’s absolutely, completely illegal to photograph anyone or anything without a signed, notarized, permission slip, filed in triplicate. Um, except for the photos I use on my web site, those are ok.
Because Groggle is EVIL!!!!! See, they put ads on their web sites and use them to make a profit, so they’re EVIL!!!! Sure, I put ads on my web site and tried to use it as the main source of income for my family, but that’s OK, because I’m not EVIL like Guttle is!!!!!
Come on over to my web site and I’ll set you straight on how EVIL Garble is. I let everyone have their say, as long as they don’t disagree with me. I only delete the occasional comment from Guggle fanbois who try to defend this obviously EVIL company. Or who criticize me. Or criticize my sponsors. Or that I don’t deem worthy of being allowed to stay on my web site. Really, it’s not more than 10-20 a day or so…
Reminds me of "limited hang-out", a favorite of spooks.
When you get caught, or sometimes even if merely suspected, confess to some *minor* parts of what you’re doing. Intent is to avoid further scrutiny. As even others mention above, Google could more directly get this information, or similar — I think it certain that they do — so this *minor* kerfuffle is at least being tried to turn into a postive: “See, we confessed soon as we noticed! Aren’t we good? — Now ignore all the things we do that add up to a hundred times worse.”
I think you’re missing the point. It’s not that the data collection is easily available (widely known to most people with even a passing interest in security), it’s that the collection was over so broad a group.
Take the classic blacklisting. The power of the blacklist comes from the fact that it is One Giant List, not several little blacklists not shared amongst various people. If I say, “You’ll never work in this town again,” then mark your name in a little notepad, and I never show that notepad to anyone, that threat means nothing.
That notepad, though, when shared and updated by thousands of employers, suddenly begins to mean something.
Similarly, one dude driving through my neighborhood collecting information does not have the same impact as one of the largest corporations in the world (large, as in extent of data) driving through many, many neighborhoods.
Similarly, one dude driving through my neighborhood does not already have a ton of information about me, whereas Google does. Again, integration of the data is what contributes to the threat.
Anyone Could Have Done It........Could YOU ?
No certainly NOT ANYONE, you could not do it Mike, I could not do it, and I would guess none of your readers here would have the resources, time, money and desire to drive all over a country logging and collecting data.
So using the strawman argument that “anyone could have done it” is wrong, and really misleading to the point of out right lie.
NO, Mike, it would be next to impossible for ‘anyone’ to do this on this scale, and time frame.
So from your list of “anyone” who on that list would have the resources, ability and desire to do it ?
One-time pad encryption is just as easy to break than conventional encryption.
It might be much hard to decrypt, but that is because each message has it’s own key. It just means you have to decrypt each message individually.
Back to Mike, tell us how “ANYONE COULD DO IT”.
You could not do it, none of the readers here could do it.
Google could do it because they have alot of money to instigate such a system.
But to say ANYONE could do it is an outright lie..
I guess if Google are sending you money each week its hard to be too critical of them. You might upset them !!